A free Have I Been Pwned alternative
Have I Been Pwned is the world's breach database - Cactus's password check even runs on its data. What Cactus adds is a plain-language front door: clear results and next steps, in English or French, free, no signup.
What Have I Been Pwned is good at
Have I Been Pwned (HIBP) is where the world checks whether an email address has turned up in a data breach. Australian security researcher Troy Hunt has run it since 2013, and it has indexed billions of breached accounts - free for individuals. You can search your email address and subscribe to "Notify me" alerts for future breaches; businesses can pay for domain monitoring and API access. Its Pwned Passwords database answers billions of queries a month and sits behind password managers and websites everywhere. HIBP isn't really a competitor here - it's the reference point for breach data, and Cactus gladly builds on Troy Hunt's work.
What Cactus does
Cactus gives you two breach checks, in English and French:
- The email breach check shows whether your address appears in known breaches - with dates and what was exposed. Your address is never stored or logged.
- The password breach check hashes your password right in your browser and sends only a 5-character fragment (k-anonymity). The password itself never leaves your device.
Every result ends with plain next steps: which password to change first, where to turn on two-factor authentication, and what to do after a password breach. There's also a breach directory you can search in either language. No account, no signup, nothing to install.
Where the data comes from
Credit where it's due. The password check queries HIBP's own Pwned Passwords database - the same data you'd get on HIBP's site. The breach directory merges HIBP's public breach list (shared under a CC BY 4.0 licence) with XposedOrNot, an independent free index. The email lookup runs on XposedOrNot rather than HIBP, so each service may know about a breach the other doesn't. If your search comes back clean on one, run it on the other too.
How they compare
| Have I Been Pwned | Cactus | |
|---|---|---|
| Email breach search | Yes - the largest index | Yes - via XposedOrNot |
| Password check (k-anonymity) | Yes (Pwned Passwords) | Yes - same Pwned Passwords data |
| Alerts for future breaches | Yes ("Notify me") | No |
| Domain monitoring / API | Yes, incl. paid plans | No |
| Plain-language next steps | Brief | Step-by-step, beginner-friendly |
| Cost / signup | Free for individuals | Free, no signup |
| Bilingual (EN/FR) | No - English only | Yes |
Which should you use?
If you want the deepest email search, ongoing "Notify me" alerts, or domain monitoring for a business, Have I Been Pwned is the one to bookmark. Cactus gives you the same password check, plus breach lookups explained in plain language with the next steps spelled out - in French as well as English. HIBP's site is English-only; for a francophone parent or friend, Cactus is the version they can actually read.